EP3267348B1 - Method and apparatus for recognizing risk behavior - Google Patents


Publication number
EP3267348B1
Authority
EP
European Patent Office
Prior art keywords
behavior
risk coefficient
users
determining
link
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP16758446.5A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP3267348A1 (en)
EP3267348A4 (en)
Inventor
Renxin MAO
Chao Sun
Xinkai LI
Dijun HE
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to PL16758446T (PL3267348T3)
Publication of EP3267348A1
Publication of EP3267348A4
Application granted
Publication of EP3267348B1
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud

Definitions

  • the present application relates to the field of computer technologies, and in particular, to a method and an apparatus for identifying a network risky behavior.
  • a network behavior refers to a process of acquiring, sending, or transmitting network data by each network individual in the network, which generally includes: information query, file downloading, mail sending, and the like.
  • abnormal network behaviors conducted by network individuals intentionally or unintentionally, such as browsing information irrelevant to work by a company employee during work or illegally querying an expense history by network customer service staff, may cause loss.
  • a risk monitoring system for monitoring a network risky behavior comes into being.
  • a conventional risk monitoring system, by constructing a rule engine, extracts and analyzes characteristics of network behaviors that conform to definitions of rules, thereby identifying risks of network behaviors.
  • the rules employed by the rule engine usually have vulnerabilities, and it is necessary to continuously add rules to remedy the vulnerabilities of the rules. This may definitely increase the workload of developers, and the efficiency is low.
  • the rule engine itself needs to consume extra computer resources, thus causing burden to a computer system.
  • US 2014/359777 A1 discloses a mobile device management server and method for determining the security risk for deployed mobile devices.
  • the mobile device management server receives risk measurements from mobile devices that are used to calculate a risk score based on rules.
  • the risk score can also be adjusted by correlating the received risk measurements with past security breaches or typical usage measurements.
  • the calculated risk score is compared to one or more thresholds to determine whether to take a protective action that is associated with exceeding a threshold.
  • US 7 574 382 B1 discloses an anomaly detection engine that monitors network traffic to detect orders placed by users from an electronic catalog of items, aggregates data about the detected orders by time period, and analyzes the aggregated data to detect anomalies in activity levels associated with specific items in the catalog.
  • a forecasting algorithm, such as an exponential smoothing algorithm, is used to generate an expected order volume for a current time period, and the expected order volume is compared to an actual order volume.
  • Embodiments of the present application provide a method and an apparatus for identifying a risky behavior to solve the problem of low efficiency in the prior art caused by remedying a rule vulnerability during identification of a network behavior risk, and the problem that a rule engine consumes extra computer resources.
  • the at least one technical solution employed in the embodiments of the present application can achieve the following beneficial effects:
  • behavior data of a user is acquired, and a specific behavior link is selected from the behavior data;
  • a risk coefficient of the specific behavior link in the behavior data is determined by means of calculations, and finally, it is determined, according to the risk coefficient, whether the specific behavior link is risky.
  • in the foregoing process, it is unnecessary to remedy a rule vulnerability manually, thus improving the efficiency of behavior risk identification.
  • the foregoing process avoids the disadvantage that the rule engine consumes extra computer resources, thus alleviating burden of a computer system.
  • FIG. 1 shows a process of a method for identifying a risky behavior according to an embodiment of the present application, which includes the following steps: S11: Behavior data of a user is acquired.
  • the behavior data is obtained through a network monitoring system.
  • the network monitoring system monitors and controls computers in a network to record Internet activities (network behavior) conducted by users in the network in a time dimension.
  • the network monitoring system includes monitoring hardware or monitoring software, and the network includes a local area network, a metropolitan area network, or a wide area network.
  • the behavior data above is stored in a particular storage medium, and according to an actual analysis requirement, corresponding behavior data is extracted from the storage medium for analysis.
  • an e-business website is taken as an example to introduce the technical solutions of the present application.
  • the method for identifying a risky behavior is used for monitoring whether a network behavior of customer service staff of an e-business website is risky.
  • a specific behavior link is selected from the behavior data.
  • a behavior link refers to a combination obtained by sequentially arranging multiple behaviors according to occurrence times. As a behavior link is closer to an actual behavior intention of the user, the credibility of network behavior risk identification is improved.
  • FIG. 2 shows a process of selecting a specific behavior link from behavior data in a method for identifying a risky behavior according to an embodiment of the present application.
  • step S12 specifically includes the following steps: S121: Fragment data in a specific time period is selected from behavior data.
  • fragment data of the user M in a specific time period on a particular day D is extracted from the storage medium. If the specific time period is 15 minutes, for example, 13:10 to 13:25, the fragment data refers to data about behaviors conducted by the user M in the time period of 13:10 to 13:25 on that day.
  • behaviors conducted by the user M include a behavior X, a behavior Y, and a behavior Z.
  • S123: The behaviors are sorted in chronological order according to occurrence times to obtain a behavior link.
  • sorting is carried out in chronological order according to occurrence times of the behavior X, the behavior Y, and the behavior Z, and an obtained specific behavior link G is: behavior X → behavior Y → behavior Z.
  • S13: A risk coefficient of the specific behavior link in the behavior data is determined.
  • the risk coefficient is a numerical value for expressing the degree of rareness of a specific behavior link G.
  • if a network behavior has a relatively high probability of occurrence, i.e., the network behavior is relatively common, it indicates that the network behavior is a normal behavior, e.g., a behavior of viewing shop information by customer service staff.
  • if a network behavior has a relatively low probability of occurrence, i.e., the network behavior only occurs in extremely rare conditions, it indicates that the network behavior is a risky behavior, e.g., a behavior of querying expense histories of relatives and friends by customer service staff.
  • the present application judges, according to the risk coefficient, whether a network behavior is risky.
  • the foregoing risk coefficient includes one or more of a short-term risk coefficient a, a historical risk coefficient b, and a team risk coefficient c.
  • the short-term risk coefficient a refers to a degree of rareness of operating the specific behavior link G by the user M in a first time period t 1 (such as one day).
  • the historical risk coefficient b refers to a degree of rareness of operating the specific behavior link G by the user M in a total time length t 2 of registration of the user (an interval from a registration time to a current time). If it is defined that a user population to which the user M belongs is a user group and the user group includes multiple users, the team risk coefficient c refers to a degree of rareness of operating the specific behavior link G by the user group to which the user M belongs.
  • FIG. 3 shows a process of determining a short-term risk coefficient in a method for identifying a risky behavior according to an embodiment of the present application, which specifically includes the following steps: S131: A total number of operations s 1 that the user M operates all behavior links in a first time period t 1 is acquired.
  • the number of all behavior links i.e., the total number of operations s 1
  • the set first time period t 1 is one day, and thus the number of times (i.e., the number of operations s 2 ) that the user M operates the specific behavior link G on that day is counted. Specifically, if t G is 15 minutes, the day is divided into several 15-minute time slices, and it is sequentially judged whether the specific behavior link G occurs in each 15-minute time slice; if yes, the number of operations s 2 is incremented by 1, and if no, the number of operations s 2 is incremented by 0, till the number of operations s 2 on that day is obtained.
  • S133: A ratio of the total number of operations s 1 to the number of operations s 2 is determined to obtain the short-term risk coefficient a.
  • FIG. 4 shows a process of determining a historical risk coefficient in a method for identifying a risky behavior according to an embodiment of the present application, which specifically includes the following steps: S134: A total time length t 2 of the user M from a registration time t 0 to a current time t a is acquired.
  • the registration time t 0 of the user M in a customer service system of an e-business website is January 1st, 2014, and a current time t a is January 1st, 2015; in this case, the total time length t 2 is 365 days.
  • in the step of acquiring an actual time length t 3 that the user M operates the specific behavior link G, calculation is carried out on a daily basis.
  • behavior data of the user M in the 365 days is split into 365 pieces of fragment data on a daily basis, and it is sequentially judged whether the specific behavior link G occurs in fragment data of each day; if yes, the actual time length t 3 is incremented by 1; and if no, the actual time length t 3 is incremented by 0, till the actual number of days (i.e., the actual time length t 3 ) that the user M operates the specific behavior link G is obtained.
  • the historical risk coefficient b is determined according to the total time length t 2 and the actual time length t 3 .
  • the total time length t 2 is relatively long (such as 3 years). Assuming that the actual time length t 3 that the old user operates the specific behavior link G is 2 days, it is finally concluded that the probability of operating the specific behavior link G by the old user in the total time length t 2 is relatively low. However, for a new user, as the user registers recently, the total time length t 2 is relatively short (such as 5 days). Assuming that the actual time length t 3 that the new user operates the specific behavior link G is 2 days, it is finally concluded that the probability of operating the specific behavior link G by the new user in the total time length t 2 is relatively high.
  • step S136 specifically includes: First of all, the total time length t 2 and the actual time length t 3 are smoothed to obtain a smooth total time length t 2k and a smooth actual time length t 3k .
  • the base of the logarithmic processing is not limited.
  • FIG. 5 shows a process of determining a team risk coefficient in a method for identifying a risky behavior according to an embodiment of the present application, which specifically includes the following steps: S137: A total number of users n included in a user group to which the user M belongs is determined.
  • the user M is customer service staff of an e-business website.
  • a department to which the user M belongs is the user group. It is assumed that the total number of users n included in this department is 20.
  • S138: An actual number of users m who have operated the specific behavior link G in a second time period t 4 is acquired in the user group.
  • the step S138 is used to count the number of persons who have operated the specific behavior link G (i.e., the actual number of users m) on a particular day among the 20 persons in the department to which the user M belongs. Specifically, behavior data of the 20 persons in the department on that day is separately acquired in advance, and then it is sequentially viewed whether the 20 users have operated the specific behavior link G on that day; if yes, the actual number of users m is incremented by 1; and if no, the actual number of users m is incremented by 0, till the actual number of users m who have operated the specific behavior link G on that day is obtained.
  • the specific behavior link G i.e., the actual number of users m
  • the team risk coefficient c is determined according to the total number of users n and the actual number of users m.
  • step S139 specifically includes: First of all, the total number of users n and the actual number of users m are smoothed to obtain a smooth total number of users p and a smooth actual number of users q.
  • the risk coefficient r = a + b + c.
  • FIG. 6 shows a process of judging whether a specific behavior link is risky in a method for identifying a risky behavior according to an embodiment of the present application.
  • step S14 specifically includes: S141: Risk coefficients r of behavior links are sorted in descending order.
  • the extracted behavior data is all behavior links of the user M on a particular day D.
  • the behavior data there are 100 pieces of monitored behavior links; in this case, risk coefficients r 1 to r 100 of the 100 behavior links are separately determined according to the foregoing method, and then the risk coefficients r 1 to r 100 are sorted in descending order.
  • a higher rank of a risk coefficient indicates a higher degree of rareness of the behavior link and a higher risk coefficient thereof. Assuming that a preset risk rank is top 3, it is judged whether the risk coefficient r G corresponding to the specific behavior link G is ranked top 3.
  • the risk coefficient r G corresponding to the specific behavior link G is ranked top 3, it indicates that the specific behavior link G is risky, and subsequently, the specific behavior link G may be published as a risky behavior to tell customer service staff of an e-business website not to operate the behavior link.
  • FIG. 7 is a schematic structural diagram of an apparatus for identifying a risky behavior according to an embodiment of the present application. Based on the same idea, the apparatus includes:
  • the selection module 20 is specifically configured to:
  • the risk coefficient includes one or more of a short-term risk coefficient, a historical risk coefficient, and a team risk coefficient.
  • the determination module 30 includes a short-term risk determination module 31 configured to:
  • the determination module 30 includes a historical risk determination module 32 configured to:
  • the determination module 30 includes a team risk determination module 33 configured to:
  • the historical risk determination module 32 includes a first smoothing unit configured to:
  • the team risk determination module 33 includes a second smoothing unit configured to:
  • the determination module 30 is specifically configured to: multiply or sum the short-term risk coefficient, the historical risk coefficient, and the team risk coefficient to obtain the risk coefficient.
  • the judgment module 40 is specifically configured to:
  • the method and apparatus provided in the embodiments of the present application acquire behavior data of a user, select a specific behavior link from the behavior data, determine a risk coefficient of the specific behavior link in the behavior data by means of calculations, and finally, determine, according to the risk coefficient, whether the specific behavior link is risky.
  • it is unnecessary to remedy a rule vulnerability manually, thus improving the efficiency of behavior risk identification.
  • the foregoing process avoids the disadvantage that the rule engine consumes extra computer resources, thus alleviating burden of a computer system.
  • three factors, short-term (such as a particular day), history (from a registration time to a current time), and team (a user group to which the user belongs), are comprehensively considered to analyze whether a behavior of a user is risky, thus reducing the impact of some sudden factor transitions (such as service orientation adjustment of the team or job transfer of the user) on the behavior link of the user, thereby improving the accuracy and credibility of risky behavior identification.
  • the apparatus for identifying a risky behavior disclosed in this specification is generated according to the same idea based on the method for identifying a risky behavior. Therefore, the method for identifying a risky behavior may continue to use all technical features of the above apparatus for identifying a risky behavior. Details are not described here again.
  • formulas for calculating the risk coefficients in the present application are not limited to the disclosed embodiments.
  • risk coefficients of behavior links are sorted in ascending order to judge whether the risk coefficient corresponding to the specific behavior link is in risk ranks.
  • the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may be implemented in the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may employ the form of a computer program product implemented on one or more computer usable storage media (including, but not limited to, a magnetic disk memory, a CD-ROM, an optical memory, and the like) including computer usable program code.
  • These computer program instructions may be provided for a general-purpose computer, a special-purpose computer, an embedded processor, or a processor of another programmable data processing device to generate a machine, so that the instructions executed by a computer or a processor of another programmable data processing device generate an apparatus for implementing a specified function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • These computer program instructions may also be stored in a computer readable memory that can instruct the computer or another programmable data processing device to work in a particular manner, such that the instructions stored in the computer readable memory generate an article of manufacture that includes an instruction apparatus.
  • the instruction apparatus implements a specified function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • These computer program instructions may also be loaded onto a computer or another programmable data processing device, such that a series of operating steps are performed on the computer or another programmable device, thereby generating computer-implemented processing. Therefore, the instructions executed on the computer or another programmable device provide steps for implementing a specified function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
  • the computing device includes one or more processors (CPUs), an input/output interface, a network interface, and a memory.
  • the memory may include a volatile memory, a random access memory (RAM) and/or a non-volatile memory or the like in a computer readable medium, for example, a read-only memory (ROM) or a flash RAM.
  • the computer readable medium includes non-volatile or volatile, and movable or non-movable media, and can implement information storage by means of any method or technology.
  • Information may be a computer readable instruction, a data structure, and a module of a program or other data.
  • a storage medium of a computer includes, for example, but is not limited to, a phase change memory (PRAM), a static random access memory (SRAM), a dynamic random access memory (DRAM), other types of random access memories (RAMs), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a flash memory or other memory technologies, a compact disc read-only memory (CD-ROM), a digital versatile disc (DVD) or other optical storages, a cassette tape, a magnetic tape/magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, and can be used to store information accessible to the computing device.
  • the computer readable medium does not include transitory media, such as a modulated data signal and a carrier.
  • the terms “include”, “comprise”, or any variants thereof are intended to cover a non-exclusive inclusion, such that a process, a method, a commodity or a device that includes a series of elements not only includes such elements but also includes other elements not specified expressly, or may further include inherent elements of the process, method, commodity, or device. Without more restrictions, an element limited by the phrase “include a/an” does not exclude other same elements existing in the process, method, commodity, or device that includes the element.
  • the embodiments of the present application may be provided as a method, a system, or a computer program product. Therefore, the present application may be implemented in the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present application may employ the form of a computer program product implemented on one or more computer usable storage media (including, but not limited to, a magnetic disk memory, a CD-ROM, an optical memory, and the like) including computer usable program code.
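The scoring pipeline described above (steps S121 to S123, S131 to S139, and the top-rank judgment of S14), written out as an added Python example; it is not code from the patent. The page gives the short-term ratio s1/s2 and the sum r = a + b + c but omits the smoothing formulas for b and c, so `smoothed_ratio` is an assumed log-based form, the clock-aligned 15-minute slices are an assumption, and all user names, behavior names and events are constructed sample data.

```python
import math
from collections import defaultdict
from datetime import date, datetime, time

SLICE_MIN = 15  # length of one fragment ("specific time period"), in minutes


def build_links(events):
    """S121-S123: cut events into time slices and order each slice by
    occurrence time. events: iterable of (user, datetime, behavior).
    Returns {(user, day): {slice_index: link}}; a link is a tuple of behaviors."""
    buckets = defaultdict(list)
    for user, ts, behavior in events:
        idx = (ts.hour * 60 + ts.minute) // SLICE_MIN  # assumed clock-aligned slices
        buckets[(user, ts.date(), idx)].append((ts, behavior))
    links = defaultdict(dict)
    for (user, day, idx), items in buckets.items():
        links[(user, day)][idx] = tuple(b for _, b in sorted(items))
    return dict(links)


def smoothed_ratio(total, actual):
    """ASSUMED smoothing (the page's formula is missing): log(1 + x) damps
    both counts, and the added 1 keeps the ratio finite when actual == 0."""
    return (1 + math.log(1 + total)) / (1 + math.log(1 + actual))


def short_term(links, user, day, link):
    """S131-S133: a = s1 / s2 over the first time period t1 (here one day)."""
    slices = links.get((user, day), {})
    s1 = len(slices)                                   # slices with any link
    s2 = sum(1 for l in slices.values() if l == link)  # slices where G occurs
    if s2 == 0:
        raise ValueError("link was not operated by this user on this day")
    return s1 / s2


def historical(links, user, day, link, registered):
    """S134-S136: t2 = days since registration, t3 = days on which G occurred."""
    t2 = (day - registered).days
    t3 = sum(1 for (u, d), slices in links.items()
             if u == user and registered <= d <= day and link in slices.values())
    return smoothed_ratio(t2, t3)


def team(links, group, day, link):
    """S137-S139: n = users in the group, m = users who operated G that day."""
    n = len(group)
    m = sum(1 for u in group if link in links.get((u, day), {}).values())
    return smoothed_ratio(n, m)


def rank_day(links, user, day, registered, group, top_k=3):
    """S14: score every link the user operated that day with r = a + b + c,
    sort in descending order and flag the links inside the preset risk rank."""
    scores = {}
    for link in set(links.get((user, day), {}).values()):
        scores[link] = (short_term(links, user, day, link)
                        + historical(links, user, day, link, registered)
                        + team(links, group, day, link))
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, [link for link, _ in ranked[:top_k]]


def sample_events():
    """Constructed sample data: four staff members repeat a routine link on
    three days; user M additionally runs one unusual link on 2015-01-01."""
    events = []
    for day in (date(2014, 12, 30), date(2014, 12, 31), date(2015, 1, 1)):
        for user in ("M", "A", "B", "C"):
            for hour in (9, 10):
                events.append((user, datetime.combine(day, time(hour, 0)), "open_ticket"))
                events.append((user, datetime.combine(day, time(hour, 5)), "view_shop"))
    for minute, behavior in ((16, "search_customer"),
                             (18, "query_expense_history"),
                             (25, "export_record")):
        events.append(("M", datetime(2015, 1, 1, 13, minute), behavior))
    return events


if __name__ == "__main__":
    links = build_links(sample_events())
    ranked, flagged = rank_day(links, "M", date(2015, 1, 1), date(2014, 1, 1),
                               ["M", "A", "B", "C"], top_k=1)
    for link, r in ranked:
        print(f"{r:6.3f}  {' -> '.join(link)}")
    print("flagged:", flagged)
```

With only two distinct links in the sample, `top_k=1` stands in for the page's "top 3 of 100" rank threshold.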

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
EP16758446.5A 2015-03-02 2016-02-24 Method and apparatus for recognizing risk behavior Active EP3267348B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PL16758446T PL3267348T3 (pl) 2015-03-02 2016-02-24 Method and apparatus for recognizing risky behavior

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510093725.4A CN105989155B (zh) 2015-03-02 2015-03-02 Method and apparatus for identifying risky behavior
PCT/CN2016/074424 WO2016138830A1 (zh) 2015-03-02 2016-02-24 Method and apparatus for identifying risky behavior

Publications (3)

Publication Number Publication Date
EP3267348A1 EP3267348A1 (en) 2018-01-10
EP3267348A4 EP3267348A4 (en) 2018-10-31
EP3267348B1 EP3267348B1 (en) 2020-04-08

Family

ID=56848744

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16758446.5A Active EP3267348B1 (en) 2015-03-02 2016-02-24 Method and apparatus for recognizing risk behavior

Country Status (9)

Country Link
US (1) US10601850B2 (en)
EP (1) EP3267348B1 (en)
JP (1) JP6734293B2 (en)
KR (1) KR102125116B1 (en)
CN (1) CN105989155B (en)
ES (1) ES2801273T3 (en)
PL (1) PL3267348T3 (en)
SG (1) SG11201707032UA (en)
WO (1) WO2016138830A1 (en)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
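CN106529288A (zh) * 2016-11-16 2017-03-22 智者四海(北京)技术有限公司 Account risk identification method and apparatus
CN108229963B (zh) * 2016-12-12 2021-07-30 创新先进技术有限公司 Method and apparatus for risk identification of user operation behavior
CN108427624B (zh) * 2017-02-13 2021-03-02 创新先进技术有限公司 Method and device for identifying system stability risk
CN108449307B (zh) * 2017-02-16 2020-12-29 上海行邑信息科技有限公司 Method for identifying risky devices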
US10623431B2 (en) * 2017-05-15 2020-04-14 Forcepoint Llc Discerning psychological state from correlated user behavior and contextual information
US10943019B2 (en) 2017-05-15 2021-03-09 Forcepoint, LLC Adaptive trust profile endpoint
US10129269B1 (en) 2017-05-15 2018-11-13 Forcepoint, LLC Managing blockchain access to user profile information
US9882918B1 (en) 2017-05-15 2018-01-30 Forcepoint, LLC User behavior profile in a blockchain
US10999296B2 (en) 2017-05-15 2021-05-04 Forcepoint, LLC Generating adaptive trust profiles using information derived from similarly situated organizations
US10862927B2 (en) * 2017-05-15 2020-12-08 Forcepoint, LLC Dividing events into sessions during adaptive trust profile operations
US10917423B2 (en) 2017-05-15 2021-02-09 Forcepoint, LLC Intelligently differentiating between different types of states and attributes when using an adaptive trust profile
US10999297B2 (en) 2017-05-15 2021-05-04 Forcepoint, LLC Using expected behavior of an entity when prepopulating an adaptive trust profile
US10447718B2 (en) 2017-05-15 2019-10-15 Forcepoint Llc User profile definition and management
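CN107517203B (zh) * 2017-08-08 2020-07-14 奇安信科技集团股份有限公司 Method and apparatus for establishing a user behavior baseline
CN107566163B (zh) * 2017-08-10 2020-11-06 奇安信科技集团股份有限公司 Alarm method and apparatus associated with user behavior analysis
CN108304308A (zh) * 2018-02-07 2018-07-20 平安普惠企业管理有限公司 User behavior monitoring method and apparatus, computer device, and storage medium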
US10997295B2 (en) 2019-04-26 2021-05-04 Forcepoint, LLC Adaptive trust profile reference architecture
US11621974B2 (en) * 2019-05-14 2023-04-04 Tenable, Inc. Managing supersedence of solutions for security issues among assets of an enterprise network
CN110457896A (zh) * 2019-07-02 2019-11-15 北京人人云图信息技术有限公司 Detection method and detection apparatus for online access
US12216791B2 (en) 2020-02-24 2025-02-04 Forcepoint Llc Re-identifying pseudonymized or de-identified data utilizing distributed ledger technology
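CN111582722B (zh) * 2020-05-09 2022-06-07 拉扎斯网络科技(上海)有限公司 Risk identification method and apparatus, electronic device, and readable storage medium
CN114764418B (zh) * 2020-12-31 2025-02-28 北京达佳互联信息技术有限公司 Risk detection method and apparatus, electronic device, and storage medium
CN112866230B (zh) * 2021-01-13 2023-05-16 深信服科技股份有限公司 Risk detection method, apparatus, and storage medium
CN112927068B (zh) * 2021-03-30 2024-08-20 善诊(上海)信息技术有限公司 Method, apparatus, device, and storage medium for determining a service data risk classification threshold
CN113051560B (zh) * 2021-04-13 2024-05-24 北京安天网络安全技术有限公司 Method and apparatus for security identification of terminal behavior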

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150039513A1 (en) * 2014-02-14 2015-02-05 Brighterion, Inc. User device profiling in transaction authentications

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7953814B1 (en) * 2005-02-28 2011-05-31 Mcafee, Inc. Stopping and remediating outbound messaging abuse
US7574382B1 (en) * 2004-08-03 2009-08-11 Amazon Technologies, Inc. Automated detection of anomalous user activity associated with specific items in an electronic catalog
CA2531410A1 (en) * 2005-12-23 2007-06-23 Snipe Network Security Corporation Behavioural-based network anomaly detection based on user and group profiling
US7574832B1 (en) 2007-01-24 2009-08-18 Lieberman Phillip L Portable telescoping tower assembly
JP2010108469A (ja) * 2008-10-01 2010-05-13 Sky Co Ltd Operation monitoring system and operation monitoring program
US8356001B2 (en) * 2009-05-19 2013-01-15 Xybersecure, Inc. Systems and methods for application-level security
US8566956B2 (en) 2010-06-23 2013-10-22 Salesforce.Com, Inc. Monitoring and reporting of data access behavior of authorized database users
US9058486B2 (en) * 2011-10-18 2015-06-16 Mcafee, Inc. User behavioral risk assessment
CN104956373A (zh) * 2012-12-04 2015-09-30 惠普发展公司,有限责任合伙企业 Determining suspected root causes of anomalous network behavior
US8850517B2 (en) 2013-01-15 2014-09-30 Taasera, Inc. Runtime risk detection based on user, application, and system action sequence correlation
CN103297267B (zh) * 2013-05-10 2016-05-11 中华通信系统有限责任公司河北分公司 Risk assessment method and system for network behavior
US20140359777A1 (en) * 2013-05-31 2014-12-04 Fixmo, Inc. Context-aware risk measurement mobile device management system
CN104376266B (zh) * 2014-11-21 2017-09-15 工业和信息化部电信研究院 Method and apparatus for determining the security level of application software
US10075474B2 (en) * 2015-02-06 2018-09-11 Honeywell International Inc. Notification subsystem for generating consolidated, filtered, and relevant security risk-based notifications

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150039513A1 (en) * 2014-02-14 2015-02-05 Brighterion, Inc. User device profiling in transaction authentications

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DAISUKE MASHIMA ET AL: "Using identity credential usage logs to detect anomalous service accesses", PROCEEDINGS OF THE 5TH ACM WORKSHOP ON DIGITAL IDENTITY MANAGEMENT, DIM '09, ACM PRESS, NEW YORK, NEW YORK, USA, 13 November 2009 (2009-11-13), pages 73 - 80, XP058220855, ISBN: 978-1-60558-786-8, DOI: 10.1145/1655028.1655044 *

Also Published As

Publication number Publication date
US10601850B2 (en) 2020-03-24
ES2801273T3 (es) 2021-01-08
PL3267348T3 (pl) 2020-11-16
KR102125116B1 (ko) 2020-06-22
CN105989155B (zh) 2019-10-25
WO2016138830A1 (zh) 2016-09-09
KR20170125864A (ko) 2017-11-15
JP2018510422A (ja) 2018-04-12
EP3267348A1 (en) 2018-01-10
US20180013780A1 (en) 2018-01-11
SG11201707032UA (en) 2017-09-28
CN105989155A (zh) 2016-10-05
EP3267348A4 (en) 2018-10-31
JP6734293B2 (ja) 2020-08-05

Similar Documents

Publication Publication Date Title
EP3267348B1 (en) Method and apparatus for recognizing risk behavior
US10248528B2 (en) System monitoring method and apparatus
US10878102B2 (en) Risk scores for entities
CN105808639B (zh) Network access behavior identification method and apparatus
US20170251007A1 (en) Automated computer behavioral analysis system and methods
US11250043B2 (en) Classification of log data
US11201802B2 (en) Systems and methods for providing infrastructure metrics
Zhang et al. Dynamic risk-aware patch scheduling
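CN113095604B (zh) Product data fusion method, apparatus, device, and storage medium
CN118764318B (zh) Big-data-based computer network information security analysis method and system
CN119089349B (zh) Operation monitoring method and apparatus for an energy internet marketing service system
CN118133290A (zh) Security assessment method and apparatus for an information technology system, and electronic device
JP6247749B2 (ja) Information leakage detection device, information leakage detection method, and information leakage detection program
CN119379437A (zh) Transaction risk control analysis method, device, and medium based on supply chain finance logs
CN105868991B (zh) Method and apparatus for identifying machine-assisted cheating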
EP4252110A1 (en) Anomaly detection using embedding space representation of system states
CN119088830A (zh) Data processing system suitable for accounting and financial management
EP3556084B1 (en) Application-sensitive strategy for server decommissioning
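CN120105475B (zh) Big-data-based business data security management system and method
JP7302668B2 (ja) Level estimation device, level estimation method, and level estimation program
CN117950891A (zh) Business anomaly handling method and apparatus, electronic device, and storage medium
CN117389827A (zh) Fault localization method and apparatus, electronic device, and computer-readable medium
CN121000491A (zh) Cloud-platform-based enterprise data security management system
CN118070173A (zh) Method and apparatus for determining abnormally operating users, and electronic device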
AU2022432100A1 (en) Organization segmentation for anomaly detection

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20171002

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20181004

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 21/55 20130101AFI20180927BHEP

Ipc: H04W 12/12 20090101ALI20180927BHEP

Ipc: H04L 29/06 20060101ALI20180927BHEP

Ipc: G06F 21/57 20130101ALI20180927BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20190923

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1255348

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200415

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602016033641

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: FI

Ref legal event code: FGE

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative's name: NOVAGRAAF INTERNATIONAL SA, CH

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

REG Reference to a national code

Ref country code: NO

Ref legal event code: T2

Effective date: 20200408

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200709

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200817

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200808

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1255348

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200408

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200708

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

REG Reference to a national code

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2801273

Country of ref document: ES

Kind code of ref document: T3

Effective date: 20210108

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602016033641

Country of ref document: DE

REG Reference to a national code

Ref country code: CH

Ref legal event code: PUE

Owner name: ADVANCED NEW TECHNOLOGIES CO., LTD., KY

Free format text: FORMER OWNER: ALIBABA GROUP HOLDING LIMITED, KY

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

REG Reference to a national code

Ref country code: DE

Ref legal event code: R082

Ref document number: 602016033641

Country of ref document: DE

Representative's name: FISH & RICHARDSON P.C., DE

Ref country code: DE

Ref legal event code: R081

Ref document number: 602016033641

Country of ref document: DE

Owner name: ADVANCED NEW TECHNOLOGIES CO., LTD., GEORGE TO, KY

Free format text: FORMER OWNER: ALIBABA GROUP HOLDING LIMITED, GEORGE TOWN, GRAND CAYMAN, KY

REG Reference to a national code

Ref country code: NO

Ref legal event code: CHAD

Owner name: ADVANCED NEW TECHNOLOGIES CO., KY

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

REG Reference to a national code

Ref country code: GB

Ref legal event code: 732E

Free format text: REGISTERED BETWEEN 20210211 AND 20210217

26N No opposition filed

Effective date: 20210112

REG Reference to a national code

Ref country code: FI

Ref legal event code: PCE

Owner name: ADVANCED NEW TECHNOLOGIES CO., LTD.

REG Reference to a national code

Ref country code: ES

Ref legal event code: PC2A

Owner name: ADVANTAGEOUS NEW TECHNOLOGIES CO., LTD.

Effective date: 20210317

REG Reference to a national code

Ref country code: ES

Ref legal event code: PC2A

Owner name: ADVANCED NEW TECHNOLOGIES CO., LTD.

Effective date: 20210322

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

REG Reference to a national code

Ref country code: NL

Ref legal event code: PD

Owner name: ADVANCED NEW TECHNOLOGIES CO., LTD.; KY

Free format text: DETAILS ASSIGNMENT: CHANGE OF OWNER(S), ASSIGNMENT; FORMER OWNER NAME: ALIBABA GROUP HOLDING LIMITED

Effective date: 20210712

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20210228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210224

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210224

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210228

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: TR

Payment date: 20230214

Year of fee payment: 8

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230521

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20160224

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FI

Payment date: 20231226

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: ES

Payment date: 20240307

Year of fee payment: 9

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: CH

Payment date: 20240301

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NO

Payment date: 20240208

Year of fee payment: 9

Ref country code: IT

Payment date: 20240111

Year of fee payment: 9

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200408

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: PL

Payment date: 20240226

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20241231

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NL

Payment date: 20250107

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20241231

Year of fee payment: 10

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20250102

Year of fee payment: 10

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250224

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NO

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250228

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20250228